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Parallel coordinated operations in private domains 
Background of the invention 

5 Technica l field of invar, r-irm 

The present invention concerns in general a method and 
arrangement for performing parallel coordinated actions in a 
first and second private domain respectively. In particular, the 
invention concerns transfer of money from a first private account 
to a second private account. 
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Backgr ound of the invenH nn 

The field of electronic payments is attending much interest, in 
particular the possibilities to perform payments by using a 
mobile device such as a mobile telephone. 

Known methods for electronic financial transactions are 
characterized in that security and authentication are completely 
independent of network support for these functions. The advantage 
of these methods is that the telecommunications network only acts 
as a transport medium for the transactions. However, these 
methods tend to become complex and to depend on a widespread 
deployment of relevant standards. The need for an infrastructure 
and software adapted to many different systems and implemented at 
network nodes and end user equipment prevents a fast introduction 
of these methods. 



30 Besides payments there are other examples of transactions 

involving entities representing an economical value. For example 
distribution of a ticket that allows the ticket holder access to 
certain services, such as downloading or streaming multimedia 
information. A ticket is usually acquired from a ticket server 

35 that performs authentication and accounting of the user. However 
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whereas a traditional printed ticket, acquired by a first user, 
may sometimes be given away to allow a second user access to the 
services with the same rights, there is no such corresponding 
simple management of electronic tickets known from prior art. 

There is, thus, a need for methods that overcome limitations of 
known methods for electronic small payments and, generally, for 
the communication between parties of entities representing an 
economical value. 



Description of related art 

Parallel, co-ordinated operations in two separate domains are 
known from various fields. In the field of telecommunications , 
15 parallel operations are known, e.g., from the field of management 
of telecommunications networks. The patent application W098/36583 
describes management of feature interaction in a 
telecommunications network that includes a plurality of 
interconnected service platforms . Each service platform has a 
20 feature interaction controller that communicates with other 
feature interaction controllers over a signalling network. 
According to an aspect of this document service feature data are 
transmitted from a first service platform to a second service 
platform. The feature data relate to service features active at 
25 the first platform. The feature data identifies one or more other 
service features that have known interworking properties in 
relation to the service features at the first platform. The 
feature controller at the second platform processes the received 
feature data and determines if there is a conflict between 
service features active at the first and second platform 
respectively. The domain in which a feature interaction 
controller operates is not a private user domain but rather a 
control domain associated with a network call management system. 
Thus, the cited document relates to the problem of conflicting 
services and does not disclose or suggest the present invention. 

The document US6170017 discloses a method for co-ordinating 
actions among a group of servers. The method is characterised by 
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having at least a controller server. A user requesting a service 
provided by a server submits a user identity whereby the 
controller server generates authorisation information. The 
authorisation information is saved by at least a server and is 
5 applicable during a conversation session. Thus, a user needs only 
be prompted once for identification information in order to 
request services from the group of servers. In case a service 
involves a plurality of servers for its effectuation the 
controller server co-ordinates the actions at each involved 
10 server. 

The method according to this document is characterised in that 
services are provided an authorised user independent of 
interference from any other user. The disclosed method involves 
only one private domain associated with a single user. 

15 

The field of electronic payments is a well-known example of 
secure parallel co-ordinated operations in private domains of at 
least two parties. In this field there are numerous suggestions 
how to create security in small payments e.g. smart cards, 
20 biometrics sensors, card readers, PKI certificates. Known methods 
for electronic financial transactions comprise establishing 
secure communication usually involving certificates and exchange 
of encryption keys. Proposed standards such as SET and MET are 
based on an infrastructure for public key management, PKI. 

25 

Microsoft with Passport ( htbp : / /www , passport . com ) and Liberty 
Alliance Project ( http : / /www . oro-i ectl ibertv . org ) are 
organisations defining and promoting solutions for parts of 
universal payment services. 

30 

The last mentioned methods are characterised in that their 
usability depends on the deployment of certain standards. 



35 Summary of invention 

A general object of the present invention is to build on existing 
secure and trusted relationships between a user and a service 
provider to provide methods and arrangements for performing a 
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first secure operation in a first private domain of a first user 
and, coordinated therewith, a second secure operation in a second 
private domain of a second user. 

In this document a private domain shall mean a data structure 
5 that is owned by a user. Generally, the data structure includes 
data entities representing a commercial value. A key at least 
known to the user can encrypt the data. Access to the information 
structure requires authentication by the user. A user can allow a 
trusted party to access the information structure on behalf of 
10 the user in order to execute actions using the domain entities. 
Exemplary, a private domain can comprise a user account and a 
trusted party can comprise a bank. 

An object of the invention is to transfer a data entity 
15 representing a commercial value or part thereof from a first 
party to a second party in a secure manner using methods and 
infrastructure already established by interworking 
telecommunication operators . 

20 These and other objects of the present invention are achieved 
through methods and arrangements as claimed. 

According to one aspect of the invention a first user has a 
subscription with a first operator, providing mobile 

25 telecommunication services, and a second user has a subscription 
with said first or a second mobile telecommunications operator. A 
trusted relationship between a user and an operator allows said 
first or second telecommunications operator to perform actions in 
private domains on behalf of first and second users.. According to 

30 the invention, a service request determines a first operation in ■ 
a first private user domain^ and a corresponding second operation 
in a second private user domain, both operations being executed 
in a coordinated manner. Exemplary, a first operation might 
involve decreasing the value of a first account with a certain 

35 amount and the corresponding second operation might involve 

increasing the value of a second account with the same amount. 
Said first and second operator has a mutual trust relationship 
and communicate through a secure signaling channel whereby 
monitoring and control of said operations is achieved. 
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According to another aspect of the invention at least one of the 
mobile phone operators has a trusted relationship with at least a 
service provider that performs said operations in a private 
5 domain. 



Brief description of the drawings 

Figure 1 shows a signaling diagram illustrating the function of 
10 the preferred embodiment. 

Figure 2 is a flow chart illustrating the preferred embodiment. 

Figure 3 shows an alternative embodiment comprising a payment 
15 service. 

Figure 4 shows a general arrangement of a telecommunications 
network . 

20 Figure 5 illustrates an alternative embodiment of the invention. 



Detailed description of the preferred embodiment 

In a first, preferred embodiment a first mobile phone user S-MS 
25 has a subscription with a first operator OP1 . The user, 

therefore, has a secure and trusted communication with the 
operator. It is common in the art to provide a user with a 
security entity, for example a SIM card, when subscribing to 
telecommunication services. The security entity is usually 
30 protected with a password and includes information for 

authentication of user and security of wireless communication. 
A second mobile phone user R-MS has a subscription with a second 
operator OP2 and has a secure and trusted communication with the 
second operator. First and second operator manages respectively 
35 first and second private domains on behalf of first and second 

user and can execute operations on these domains associated with 
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services to which first and second user subscribe. First and 
second operators, further, communicate through a secure and 
trusted signaling channel. 

The secure and trusted communications mentioned above use well- 
5 known methods for authentication and key exchange. 

A better understanding of the preferred embodiment will now be 
obtained from the following detailed description taken in 
conjunction with Figure 1. 

10 An SMS-message Ml at (100) containing a service request is sent 
from a first user mobile terminal S-MS and directed to a second 
mobile user R-MS. Prior to sending the message the first user is 
requested to input a PIN1 code at (180) to access the requested 
service. To facilitate preparation of the message, the user is 

15 entering a dialogue mode prompting the user for data such as 

requested parameter values, PINl-code and a personal message for 
the receiver. Associated with the SMS-message there is a type 
information indicative of a service request. 

The message Ml includes references S-MS and R-MS of sending and 
20 receiving party respectively, a reference R-APP to the requested 
service application, a private message for the receiver P-MSG, 
parameters e.g. parameters PI and P2 , the PIN1 code, and a type 
information M-TYPE. 

As part of a registration to a service a user obtains access to 
25 supportive service logic including a dialogue mode for 

interaction with the service. The service logic is distributed 
including a part at the terminal, e.g. as terminal logic and/ or 
as part of a SIM card, and a network part. The user invokes the 
dialogue by selecting the service at a mobile terminal selection 
30 menu . 

When handling the message the SMS service node SMS-SN reads said 
type information M-TYPE , intercepts the message and forwards it 
at (105) to a first service manager SMI. The service manager SMI 
creates a first service agent (110) . The first service agent 
35 (110) analyses the service request and determines from the 

service reference R-APP a first operation OPER1 to be performed 
in a private domain of first user and a second operation 0PER2 to 
be performed in a private domain of the second user R-MS. 
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The first service agent (110) creates and stores a transaction 
reference T-REF associated with the service request and 
determines an address to a corresponding service manager SM2 at 
operator 0P2 from the reference R- MS to the receiving party. At 
(121) the first service agent establishes a secure signaling 
channel with the service manager SM2 at operator OP2 . 
The first agent (110) then sends a message M2 over the secure 
channel (121) to the service manager SM2 at the second network 
operator OP2 . The message M2 includes at least the transaction 
reference T-REF, identifiers of the first and second users S-MS 
and R-MS, parameters PI and P2, an identification of the service 
R-APP, and an identification of the second operation R-OPER2 . In 
response to receiving said message, the service manager SM2 
performs a check that the second user R-MS subscribes to the 
service at operator OP2 . in confirming subscription, service 
manager SM2 then creates a second service agent (140) . In a 
dialogue communication over the link (121) further information 
relating to the first and second operations are determined e.g 
in accordance with preferences preset by first and second user. 
Thereafter, the second service agent (140) is put in a waiting 
state in which it waits for a response message from the second 
user R-MS. 

The first service agent (110) then modifies the message (100) by 
appending an indication of the second operation R-0PER2 and said 

25 transaction reference T-REF* 

Thereafter, the agent (110) forwards at (115) the modified 
message M3 through the SMS service node SMS-SN of first operator 
OP1 and the communications link (120) that traverses a public 
domain to the second user R-MS. The message M3 , thus, includes 

30 references S-MS, R-MS, transaction reference T-REF, reference to 
service R-APP , reference to second operation R-OPER2, the private 
message P-MSG, and parameters summarized as PX. The agent (110) 
is then put in a waiting state to receive from the second agent 
(140) a message indicating a type of response by the second user 

35 R-MS to said modified message M3 . 

The second user terminal R-MS has means to identify the reference 
to a service R-APP in the received message M3 . The terminal R-MS 
xnvokes, in control of service software at the terminal R-MS and 
in dependence of the reference R-APP and the reference to second 
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operation R-0PER2 , a user interface at the terminal of the second 
user R-MS. The user can read the original personal message P-MSG 
from the first user and the user interface prompts the second 
user for input of a type of response e.g. indicating acceptance 
of execution of the second operation and any further parameters 
The second user R-MS provides at (125) a PIN2 code to verify the 
right to access said service. At (130) the second user sends a 
message M4 to the message service node SMS-SN of the second 
operator OP2 . The message M4 includes message type M-TYPE 
indication of type of response, e.g. ACC indicating acceptance of 
second operation R-OPER2 , further parameter values summarized as 
PX, the transaction identity T-REF, references S-MS and R-MS, 
reference to service R-APP, and the PIN2 code. 

The message service node SMS-SN of second operator recognizes the 
indication of service M-TYPE , intercepts the message and forwards 
it at (135) to the second service manager SM2 . The transaction 
identifier T-REF enables service manager SM2 to associate the 
message with the second service agent (140) . 
The second service agent (140) verifies the PIN2 code and 
transmits at (145) a signalling message to the first service 
agent (110) indicating type of response by R-MS e.g. indication 
of acceptance ACC of the second operation R-OPER2 and any further 
parameter values PX provided by the second user R-MS. The first 
and second service agents, thereafter, order the first and second 
operations manager (150) and (155) respectively to execute first 
and second operation in a co-ordinated manner. 

At (160) a signal exchange between operation managers (150) and 
(155) confirm completed actions. 

At (165) and (170) confirmation messages of completed operations 
are sent to the first and second users S-MS and R-MS 
respectively. Confirmation messages use SMS or e-mail or the 
information is published on a web server for private access. 
The sagnal (145) may comprise other information than an 
acceptance of the second operation. As the agent (140) was 
previously put in a waiting state, the signal (145) can be a time 
release signal. The signal (145) may also indicate a different 
type of response to the modified message by the second user R-MS 
Exemplary, the second user can indicate that second operation is 
not accepted or that the operations should be postponed till a 
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specified time. In all these cases the agent (110) can be 
arranged to act correspondingly e.g. by requesting instructions 
from the first user S-MS. Depending on the outcome of actions by 
the first agent (110) in the above situations further signaling 
(121) may be required to set the state of (140) or to uninstall 
agent (140) in case the transaction is aborted. 
If, for some reason, the first agent (110), being in a waiting 
state, does not receive a signal (145) within a certain time 
predetermined actions are taken such as cancellation of 
transaction or repeating message (115) -(120). 

In Figure 2 there is shown a flow chart illustrating the steps 
involved in the inventive method. At step (210) a message system 
serving a first mobile user receives a message and determines 
from a service indication that it requires processing by an 
associated service manager. 

At step (220) the message is intercepted and forwarded to a first 
service manager identified by an identification of a service 
included in the message. 

At step (230) a first service agent is created. The agent 
identifies the second user and a secure signaling connection is 
established between the first service manager SMI and a second 
service manager SM2 associated with the second user. 
At step (240) the first service agent determines a first and a 
second operation code partly in dependence of information 
exchanged over the signaling channel with the second service 
agent and assigns a transaction reference. 

At step (250) the first service agent modifies the intercepted 
message and sends the modified message to the second user. 
At step (260) the second user is made aware of the operations 
ready to execute in response to second user approving thereto in 
a message to the second service agent. 

At step (270) the second service agent forwards type of response 
e.g. acceptance to the first service agent and the agents 
initiate execution of software corresponding with first and 
second operations code. 

At step (280) confirmation messages are exchanged between the 
agents and with respective user. 



9 



WO 03/107283 



PCT/SE02/01218 



It is readily appreciated that the described method is also 
applicable when the first user S-MS is connected to a mobile 
network as visitor. The visited operator, then, receives an order 
SMS from the visiting client and forwards the order through a 
signalling network to the SMS-server in the home network of the 
first user. The SMS-server identifies the message as a service 
request and processes the message according to the method 
described in relation to Figure 1. 

The indication of service included in an SMS-message can be 
implemented in various ways. A separate SMS-server SMS-SN can be 
used for receiving such messages. The separate SMS-server has an 
address that is part of the service logic at the mobile terminal 
of the first user (S-MS) . The first user, when preparing a 
service request, attaches said address to the message. A suitable 
user interface for preparing a service request is, e.g., created 
by use of SIM toolkit for modification of the SIM-card to include 
such an interface that is downloaded from the service provider. 
Alternatively, an adapted SIM-card is received from the service 
provider at subscription to the service. The service manager, 
e.g. service manager SMI, can be part of the separate SMS-server 
SMS-SN. 

The ordinary SMS-server can also be used to identify a service 
request. In this case the Protocol-Identifier TP-PID as specified 
in the GSM standard GSM 03.40 can be used to indicate that the 
message is a service request. 

It is further apparent for a person skilled in the art that a 
variety of messaging systems can be used in the inventive method. 
The prerequisites for this can be understood from Figure 4 . In 
Figure 4 there is shown a general arrangement of a 
telecommunications network having a radio access. At (410) there 
is a mobile device having a radio connection with a 
telecommunications access network (420) . Within the domain of 
network (420) there is a network component (430) forwarding a 
call to a transport network, e.g. a PSTN network (440) or an IP 
network (450) . Exemplary, the network node (430) is an SMS-server 
or a switching node for a speech-channel connecting to PSTN 
network (440) or it is a gateway node forwarding an SMS-message 
through the IP network (450) . The network node (430) is arranged 
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by the operator of network (420) to intercept a message from 
mobile device (410) for further processing according to the 
invention. 

5 Description of alternative embodiments 

In one embodiment of the invention, a network node, e.g. the 
second agent 140, controls a user interface at the second user 
terminal R-MS. According to this embodiment, the agent (140) when 
receiving the message M4 establishes a dialogue with the user 
10 terminal R-MS e.g. through UUS signaling as specified in the GSM 
standard GSM 02.87, User-to-User Signaling. The message M4, in 
this case, does not include the parameters PX and the type of 
response M-TYPE . These data are instead provided in said 
dialogue . 

15 

In an alternative embodiment, said service is a payment service. 
Users trust the mobile operators to handle small payments that 
relate to e.g. telephone calls, SMS and premium services. Methods 
and infrastructure established by telecommunication operators 

20 involve a trusted relationship between a mobile phone user and an 
operator, a user account with an operator, and a trusted 
relationship between an operator and a financial bank institute. 
With reference to the preferred embodiment, in this alternative 
embodiment said private domains comprise first and second user 

25 private accounts managed by the trusted first and second network 
operators respectively. Said first operation comprises withdrawal 
from the first user account a specified amount and said second 
operation comprises adding the same amount to the second user 
account . 
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When an account balance exceeds or is below certain levels the 
operator requests suitable transfer operations through a bank 
connection. Evidently, there is a need for account balance 
settlements between the involved operators. Such settlements can 
be done through the internal signalling channel (121) and are, in 
fact, part of traditional roaming agreements. 

Apparently, a special case of this embodiment comprises one and 
the same operator being responsible for both first and second 
operations . 

In another embodiment, a payment concerns instant payment of 
merchandise collected at a point of sale. In a first step in 
paying for the merchandise a user transfers the identity of 
his/her mobile phone to the cashier. The cashier compiles a bill 
that is sent to the user as an SMS-message. The user, in response 
to receiving the bill, orders transfer of payment as described in 
relation to Figure 1. The confirmation signal (170) is sent to 
the cashier whereby a verification of the payment can be done and 
the transaction is closed. 

With reference to Figure 3 a further elaboration of the foregoing 
embodiment is illustrated. At (310) a user transfers the identity 
of his/her mobile phone. The transfer of an identity is be made 
through a wireless connection such as an IR connection or 
Bluetooth™ connection or by scanning a label fastened at the 
mobile phone. At (320) the cashier compiles a list of articles. 
The list is sent at (330) as a message to the message handling 
system SMS-SN of the point of sale. The message handling system 
SMS-SN recognizes the message as requiring special treatment and 
forwards it at (340) to a service manager SM2 that creates a 
service agent. Knowing the identity of the mobile phone of the 
user the agent establishes at (350) a signaling exchange with the 
service manager SMI of the user. The service manager SMI creates 
a service agent for the user. The agent returns, through the 
signaling channel (350) , further information relevant for the 
transaction, e.g. availability of a loyalty card and cheap-rate 
tickets. The service agent SM2 can now prepare a bill for the 
user. The bill is sent, through the message handling system SMS- 
SN to the user at (360) . A hash of the message is also sent to 
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the service agent of the user. At reception of the message the 
mobile phone, using executable service code, provides at (370) a 
user interface to the user. The user enters any further 
information including a PIN-code to accept the bill. The user 
sends a message at (380) to the message handling system at 
operator OP1 of the user that intercepts the message and forwards 
it to the service manager. The service manager associates the 
message with the waiting service agent. The agent confirms 
acceptance of bill and calculates its hash value. The 
confirmation and the hash value are transferred to the service 
manager of the point of sale over the signaling channel (350) . 
The second service agent verifies that billing data has not been 
manipulated and initiates execution of indicated operations 
including withdrawal of money from user account, crediting point 
of sale account, updating loyalty card, and marking any used 
cheap-rate tickets. First and second agents exchange signaling 
messages indicating completion of operations and initiate 
confirmation messages at (390) to the customer respectively the 
cashier. 

In an alternative embodiment, said service is a ticket service 
and said private user domains comprise storage locations for 
tickets. By presenting a ticket to a service provider the ticket 
owner is allowed access to services. A ticket includes, 
therefore, security keys for secure communication with the 
service provider. Other information in the ticket specifies what 
rights the ticket owner has e.g. period of validity and number of 
times a certain service may be used. According to this embodiment 
a service provider trusts the operators, e.g. operators 0P1 and 
0P2, to manage tickets on behalf of the service provider. The 
operators might exemplary issue new tickets or perform parallel 
coordinated operations as described above to transfer rights from 
a first ticket owner to a second ticket owner. Exemplary, a 
ticket owner associated with operator OP1 and having the right to 
use a certain service N times might transfer the right to use 
this service M times (M<N) to a second ticket owner associated 
with operator OP2 . Thus, in a parallel coordinated operation the 
first ticket value is changed to N-M and a second ticket is 
created with value M. 
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It is readily appreciated that a ticket may relate to a variety 
of services such as right to download data or right to initiate 
streaming of data. A ticket may also relate to a voting system 
and the service may comprise placing vote or transferring votes 
5 to another party for proxy voting. 

In Figure 5 there is illustrated still another embodiment 
characterized by an intermediate trusted unit (510) . Like 
denotations in Figure 5 and Figure 1 denote like objects. It is 

10 readily recognized that, in the case of a plurality of operators 
0P1 - Opn offering services according to the invention, there 
must be secure and trusted relationships between any pair of 
these n operators. In the present embodiment, each operator, e.g. 
OP1 and OP2, has a trusted relationship with the unit (510) . 

15 Thereby a n x n relationship complexity is reduced by factor n. 
The unit (510) is trusted to perform first and second operations 
in response to receiving signal (105) over a secure signaling 
channel from the first, initiating operator OPl. At (135) the 
unit (510) receives from second operator 0P2 a signal over a 

20 secure signaling channel, e.g. acceptance by user R-MS, for 

control of further actions. The unit (510), in the absence of 
signal (135) within a certain time, may take predetermined 
actions . 

25 An alternative embodiment comprises the first and second 

operations being performed by independent service providers. In 
this embodiment there is a trusted relationship between the 
operators OPl and 0P2 or between the entity (510) and the 
independent service providers. With reference to Figure 1, 

30 operation manager 1 and operation manager 2 exchanges signaling 
messages with independent service providers for initiation of 
first and second operations. Thus, this embodiment entails the 
operators performing AAA functions, i.e. Authorization, 
Authentication and Accounting. 

35 

Having thus described the invention it is appreciated for a 
person skilled in the art that the invention encompasses numerous 
variations and modifications and that the various embodiments 
included herein shall be understood as exemplary. 
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